Card Groups Need New Approach to Data Security

The Hannaford Bros. data security breach, which exposed 4.2 million credit and debit cards earlier this year, was certainly a teachable moment for the food retailing industry.

As detailed in an article beginning on Page 28, data thieves, who have yet to be identified, were able to seize consumer card data while it was “in transit” along Hannaford's private network between the POS card reader and the company's centralized payment switch. This happened despite Hannaford's being Payment Card Industry-compliant.

Thus it became immediately clear that compliance with PCI's 12 data security standards is no guarantee of security. Of course, retailers are still expected by the card associations to be certified as PCI-compliant or face stiff financial penalties. But now retailers need to invest in security technology and services that go beyond PCI compliance.

Meanwhile, the urgency of the data security issue was underscored last week when federal prosecutors brought criminal charges against 11 individuals allegedly involved in the theft of more than 40 million credit and debit card numbers from nine retailers.

The PCI Security Standards Council, Wakefield, Mass., set up by the card associations (Visa, MasterCard, et al.) to manage the standards, declines to say if it was influenced by the breach at PCI-compliant Hannaford. Yet the council has been notably busy in recent months. Not long after Hannaford revealed its security break-in, the council announced that a new version of PCI will be coming in October, among other moves.

But those efforts have not done much to calm retailers. As Dave Hogan, chief information officer for the National Retail Federation, Washington, puts it, “Every year they make the guidelines tougher, but it's like building a bigger wall around your data center. The bad guys just bring a bigger ladder to get over it.”

And building the wall is an increasingly expensive proposition. Hannaford has acknowledged spending millions of dollars post-breach to ensure that it doesn't happen again.

The industry is already grappling with the card associations over the interchange rates they apply to transactions, but it may not be too long before it will need to challenge them to do more about data security than just impose PCI standards. For example, it makes little sense for the associations to make signatures, rather than PINs, the vehicle for authenticating credit card purchases. PINs, already widely accepted by consumers for debit and ATM cards, are a far more secure method.

Moreover, the magnetic stripe on credit cards is now an antiquated technology, dating back to the 1980s. Far more secure technologies, such as the microchip embedded in credit and debit cards used in the United Kingdom, should be employed. But that would require a financial investment by the card associations, which would rather have retailers do the investing.